A Review of the Best News of the Week on Identity Management & Web Fraud

KnowBe4 Details Two-Factor Authentication Spoofing Bypass Risks (eWEEK, May 11 2018)
While two-factor authentication can minimize some password security risks, social engineering attacks can still potentially enable hackers to bypass the added protection.

Service Meant to Monitor Inmates’ Calls Could Track You, Too (The New York Times, May 17 2018)
A company catering to law enforcement and corrections officers has raised privacy concerns with a product that can locate almost anyone’s cellphone across the United States.

Twitter Will Begin Hiding All Tweets From Suspect Accounts (Wired, May 15 2018)
The goal is to identify and filter trolls and harmful users, based not on any specific tweet, but on how they use the social network holistically.

Firefox 60’s WebAuthn API: No Password Required (Infosecurity Magazine, May 10 2018)
The latest Firefox browser enables password-less authentication.

Airline Ticket Fraud (Schneier on Security, May 11 2018)
Every day, hundreds of people fly on airline tickets that have been obtained fraudulently. This crime script analysis provides an overview of the trade in these tickets, drawing on interviews with industry and law enforcement, and an analysis of an online blackmarket. Tickets are purchased by complicit travellers or resellers from the online blackmarket. Victim travellers obtain tickets from fake travel agencies or malicious insiders. Compromised credit cards used to be the main method to purchase tickets illegitimately.

Mexican Banks Lose Millions in SWIFT-like Attacks (Infosecurity Magazine, May 15 2018)
As many as five Mexican banks may have been targeted by what appears to be a highly co-ordinated cyber-attack in which unauthorized transfers were made to bogus accounts.

Will WebAuthn replace passwords or not? (CSO Online, May 15 2018)
Or, the password is dead – long live the password.

New Apple ID phishing operation protects web assets with AES encryption (SC Magazine, May 11 2018)
A recently discovered email phishing campaign was found targeting Apple ID credentials, while using AES encryption to thwart active countermeasures against their malicious website.

Humans Only: Duo Mobile and Android Protected Confirmation (The Duo Blog, May 10 2018)
Duo has been working with Google since late last year on the Android Protected Confirmation API available in Android P, helping provide Google with feedback as part of Google’s early technology preview program.

Auth0 snags $55M Series D, seeks international expansion (TechCrunch, May 15 2018)
Auth0, a startup based in Seattle, has been helping developers with a set of APIs to build authentication into their applications for the last five years.

Phishers increasingly targeting cloud storage and SaaS (Help Net Security, May 17 2018)
…notable increases in phishing campaigns that target SAAS/webmail providers, as well as increased attacks on financial / banking targets and cloud storage and file-sharing sites. But banks remain the most popular targets, with phishers stealing customers’ online banking credentials.

Rights Group Calls for End to Police Facial Recognition (Infosecurity Magazine, May 16 2018)
Face Off report claims false positives can reach 98%

Nest turns up the temperature on password reusers (Naked Security – Sophos, May 14 2018)
Nest’s advice to its users gets a thumbs-up from the Online Trust Alliance.

Facebook Suspends 200 Apps Over Data Misuse (SecurityWeek, May 14 2018)
Facebook said Monday it has suspended “around 200” apps on its platform as part of an investigation into misuse of private user data.

Facebook crushes 583 million fake accounts in 3 months (Naked Security – Sophos, May 17 2018)
On a daily basis, it disables millions of fake accounts before they ever hatch.

FIDO Alliance Appoints Facebook to Board of Directors (Dark Reading, May 16 2018)
Facebook joins Google, Microsoft, Amazon, and Intel, all among major influential tech companies backing FIDO authentication.

Protecting your business behind a shield of privacy (Help Net Security, May 14 2018)
A discussion with Francis Knott, the VP of Business Development at Silent Circle, about the recent claims by Homeland Security that the organization has observed anomalous activity in the National Capital Region that appears to be consistent with international mobile subscriber identity captures.

Google Makes Privacy Policy More Readable Ahead of GDPR (PCMag, May 11 2018)
Its new Privacy Policy—slated to take effect on May 25 to coincide with Europe’s General Data Protection Regulation—should be a lot more readable than the old one.

Combating fraud and money laundering with graph analytics (Help Net Security, May 15 2018)
New ideas have emerged to tackle the AML challenge. These include: semi-supervised learning methods, deep learning based approaches and network/graph based solutions. Such approaches must be able to work in real time and handle large data volumes – especially as new data is generated 24/7.

Using Personal Identity Verification (PIV) Credentials to Enable Passwordless Authentication (Okta, May 16 2018)
In 2004 President George W. Bush issued Homeland Security Presidential Directive 12 (HSPD 12) that mandated all federal employees and contractors to be given a common identification card that can be used anywhere and everywhere…